
Friday, 30 July 2010

Latvia seems to be getting a bad reputation for supporting criminal activity. The latest accomplice is Microlines (microlines.lv) who mix in a large number of bad sites with a few legitimate ones.

Their netblock AS2588 (79.135.128.0/19) covers 79.135.128.0 - 79.135.159.255. The badness is concentrated in 79.135.152.0/24; all of the legitimate web sites are hosted outside that /24.

I used the MyWOT API to query the reputation of the hosted domains, and the results show a clear difference between the /24 and the rest of the /19. You can download a CSV of the analysis from here.

Out of the 157 domains examined, 4 (2.5%) were rated "excellent", 3 (1.9%) were rated "good", 43 (27.4%) were unrated and 107 (68.1%) were "very poor". You might want to block the whole /19 on that basis; at the very least you should block 79.135.152.0 - 79.135.152.255.
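The check behind that recommendation is easy to automate: take each hosted domain's IP and reputation label, decide whether the IP sits in the suspect /24, the rest of the /19, or outside the block entirely, and tally the labels per slice. The following is an added example (not code from the original post, and not the MyWOT API client itself); the domain/IP/label records are constructed for illustration and the `block_recommendation` threshold of 50% "very poor" is an assumption, not a figure from the post.

```python
import ipaddress
from collections import Counter

# Netblocks named in the post: the whole /19 and the /24 where the bad sites concentrate.
WHOLE_BLOCK = ipaddress.ip_network("79.135.128.0/19")
BAD_SLICE = ipaddress.ip_network("79.135.152.0/24")

# Constructed sample records (domain, hosting IP, MyWOT-style reputation label).
# These are made-up entries for illustration, not the CSV from the post.
SAMPLE = [
    ("example-shop.invalid", "79.135.130.15", "excellent"),
    ("example-news.invalid", "79.135.140.8", "good"),
    ("example-blog.invalid", "79.135.145.22", "unrated"),
    ("bad-one.invalid", "79.135.152.10", "very poor"),
    ("bad-two.invalid", "79.135.152.11", "very poor"),
    ("bad-three.invalid", "79.135.152.194", "very poor"),
    ("unknown-host.invalid", "79.135.152.200", "unrated"),
    ("elsewhere.invalid", "203.0.113.5", "good"),  # outside the /19 entirely
]


def slice_of(ip_str):
    """Return 'bad_24', 'rest_of_19' or 'outside' for a hosting IP address."""
    ip = ipaddress.ip_address(ip_str)
    if ip in BAD_SLICE:
        return "bad_24"
    if ip in WHOLE_BLOCK:
        return "rest_of_19"
    return "outside"


def reputation_breakdown(records):
    """Tally reputation labels per slice.

    Returns {slice: {label: (count, percentage_of_slice)}}.
    """
    per_slice = {}
    for _domain, ip, label in records:
        per_slice.setdefault(slice_of(ip), Counter())[label] += 1
    result = {}
    for name, counter in per_slice.items():
        total = sum(counter.values())
        result[name] = {
            label: (n, round(100.0 * n / total, 1)) for label, n in counter.items()
        }
    return result


def block_recommendation(breakdown, threshold=50.0):
    """Name the slices whose 'very poor' share exceeds the threshold (assumed cut-off)."""
    return sorted(
        name
        for name, labels in breakdown.items()
        if labels.get("very poor", (0, 0.0))[1] > threshold
    )


if __name__ == "__main__":
    bd = reputation_breakdown(SAMPLE)
    for name in sorted(bd):
        print(name, bd[name])
    print("recommend blocking:", block_recommendation(bd))
```

Swap `SAMPLE` for rows read from the downloaded CSV and the same two functions reproduce the /24-versus-/19 comparison described above; the `ipaddress` membership test is what makes the "is it inside the /24" decision reliable rather than a string-prefix guess.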

We've seen this scam before: an alleged Chinese registrar claims that someone is trying to buy a domain name similar to yours, in an attempt to scare you into buying overpriced domains that you do not need.

Our organization received a formal application from a company who is called Toyton Ltd are applying to register "[domain name redacted]" as their domain name and Internet keyword. In order to prevent cyber piracy,Please explain:

1: Whether this company is your IT supplier or distributor.

2: Whether you are interested in registering these domains first to preservation your company’s brand. (.cn .com.cn .net .asia .eu and keyword etc…)

We are now obligated to inform you this issue ,So we will handle the next step after this audit procedure. Pls understand.

Confidentiality Statement:
The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not an intended recipient, any disclosure, copying, distribution, or other action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. If you have received this message in error please be advised of your obligation to immediately notify sender of the error in transmission, and to destroy all associated documentation.

I always love confidentiality statements on spam!

Both domains are Chinese registered and are hosted in Hong Kong. The email comes from a Chinese IP address.

Registrars are not responsible for checking trademarks. If they were, domain registration would take days and cost a fortune. This is simply an attempt to rip you off.

Thursday, 29 July 2010

A slightly novel attack, found injected into a JavaScript library and using freshly-registered domains. The attack uses obfuscated JavaScript to send visitors to one of the following domains: myads.name, adsnet.biz, toolbarcom.org, mybar.us, freead.name, each prefixed with one of the subdomains vagi., vain., vale., vars., vary., vasa., vaut., vavs., viny., viol., vrow., vugs., vuln.

Despite all the combinations (a list is at the bottom of the post if you want to paste it in somewhere), there are only a small number of IP addresses involved:
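Because the hostnames follow a fixed prefix-plus-domain scheme, a blocklist and a log check can both be derived from the two short lists above rather than maintained by hand. The following is an added example (not code from the original post): it generates every prefix/domain combination and matches hostnames from a proxy log against that scheme. The log lines and their column layout (timestamp, client IP, host, path, status) are constructed for illustration.

```python
import re

# Subdomain prefixes and base domains named in the post.
PREFIXES = ["vagi", "vain", "vale", "vars", "vary", "vasa", "vaut",
            "vavs", "viny", "viol", "vrow", "vugs", "vuln"]
DOMAINS = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"]

# Anchored so that only "<prefix>.<domain>" matches, not lookalikes such as "xvain.freead.name".
_PATTERN = re.compile(
    r"^(?:%s)\.(?:%s)$" % ("|".join(PREFIXES), "|".join(re.escape(d) for d in DOMAINS)),
    re.IGNORECASE,
)


def blocklist():
    """Every prefix/domain combination, suitable for pasting into a blocklist."""
    return ["%s.%s" % (p, d) for p in PREFIXES for d in DOMAINS]


def is_redirect_host(host):
    """True if the hostname fits the redirector naming scheme from the post."""
    return bool(_PATTERN.match(host.strip().rstrip(".")))


# Constructed proxy log lines (hypothetical format: timestamp client-ip host path status).
SAMPLE_LOG = """\
2010-07-29T10:01:02Z 192.0.2.10 www.example.com /index.html 200
2010-07-29T10:01:05Z 192.0.2.10 vuln.myads.name /in.cgi?3 302
2010-07-29T10:01:06Z 192.0.2.11 vary.adsnet.biz /go 302
2010-07-29T10:01:09Z 192.0.2.12 mybar.us /about 200
2010-07-29T10:01:10Z 192.0.2.13 xvain.freead.name / 200
"""


def scan_log(text):
    """Return (client, host) pairs for requests that hit one of the redirector hosts."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        client, host = fields[1], fields[2]
        if is_redirect_host(host):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    print("%d blocklist entries" % len(blocklist()))
    for client, host in scan_log(SAMPLE_LOG):
        print("redirect hit: %s -> %s" % (client, host))
```

The bare base domains (e.g. mybar.us) are deliberately not matched by the pattern, since the post only describes the prefixed form; if you prefer to block the freshly-registered domains outright, add `DOMAINS` itself to the blocklist output.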

Although the address and phone number are no doubt fake, the email address of dday.rabbit@gmail.com is known.

The next hop uses a subdomain of a legitimate domain registered at GoDaddy that appears to have been phished: out.outdoorkitchendistributors.com, hosted on 94.75.243.31. It's worth pausing to note that the legitimate domain specchart.com also appears to have been hijacked via a GoDaddy phish and moved to this server.

The endpoint is a Java exploit on a server at 79.135.152.194 belonging to microlines.lv (AS2588 / 79.135.128.0/19) which appears to be a pretty evil network. How the hell they got a /19 is a mystery when I can't see any verifiably legitimate sites.

I had never heard of M247 Ltd until today, when their network came up as providing infrastructure for this scam. A few IPs over from that server is another one at 89.238.165.197 which hosts three phishing sites:

Ibloqin.com
Lloydststb-offshore.com
Nbtibank.com

The sites currently only display "Suspended" if you visit them. This means nothing though: it's a fairly common scammer technique to disguise the fact that the site is active. Avoid.

There are a lot of these going on at the moment. This is another fake job offer trying to rope unsuspecting applicants into doing something illegal.

Date: 29 July 2010 08:23
Subject: Representatives Wanted

Civilities

I am a manager of the HR department of a large multinational company. Our company covers a wide range of businesses:
- supporting business in Europe and other countries
- bank accounts opening and maintenance
- private undertaking services
- etc.

There are vacant positions of regional managers in Europe:
- salary 2.400 dollars + bonus
- 1-2 working hours per day
- flextime

Wednesday, 28 July 2010

This is some sort of money laundering or parcel reshipping scam. The domain west-epec.com was registered just yesterday, but it appears not to be resolving properly.

Date: 28 July 2010 13:36
Subject: vacancy #876

I am writing to you in the name of the corporation the Human Resources department of which I represent.

Our enterprise has a lot of different lines of business.
-real property
-business support
-company dissolution
-private firm service
-etc

There is a vacancy of a Regional manager in Europe:
-compansation package 2.300 euro +bonus
-taskwork

- 'open-leave' schedule

If you have an intention to cooperate with our company, please send your contact information on our e-mail: Darla@west-epec.com
First Name:
Country of living
City
mail address:
Contact telephone number

Remark! Applicants with the permission to work in Europe!

Please let us know you contact information.
Our manager will contact you to provide answers for the questions you are interested at and invite you for brief interview.

The WHOIS details are probably fake, but consistent with a large number of other fake job websites.

Scams evolve in much the same way as plant or animal life. Unsuccessful scams become extinct; very successful ones tend to explode in numbers to the point of overpopulation. In between are a number of scams that inhabit ecological niches where there is just enough return to make them worthwhile.

Do you need a loan to pay off your bills and clear off your debt? Do you
have an urgent loan or a business loan? You are refused a loan from your
bank or any financial firm? Do you need a loan to pay off your bills or
buying a house? Do you need a loan to start a business? Get anaffordable
loan at a low interest rate of 3%, contact us at:
lapo.loancompany1@gmail.com

Obviously it's dodgy.. how many loan companies use a free Gmail address? Digging deeper shows that this originates from 41.217.220.212 (mail.zimele.net) in Kenya. What you can't tell from the message is that the recipient's email address was harvested from a data breach (either accidental or deliberate) at 0catch.com.

Now, most novice users won't know how to inspect mail headers or be able to trace where the email address came from, but the Gmail thing is a huge red flag. Honestly, the whole pitch is sloppy, badly spelled and unbelievable.. but people must fall for this scam (presumably an Advanced Fee Fraud or identity theft gig) from time to time, else the scammers wouldn't persevere with it.

Tuesday, 27 July 2010

This story from Brian Krebs caught my eye; a quick bit of background digging on check-crypt.com revealed a whole new Evil Network in Moldova called Najada Ltd on AS49544 (91.216.122.0/24). The IP address range 91.216.122.0 - 91.216.122.255 appears to have no legitimate sites at all, featuring fake businesses (including a bunch supposedly in Finland), illegal downloads and sites with variants of the name Google in them, which is never a good sign.

The best thing to do is block traffic to this IP range and/or the domains listed below. Note also that sending abuse reports to abuse@mdhoster.net (who manage the netblock) will possibly be counterproductive, so don't bother.

Paul Badji is a real diplomat at the UN; this email is NOT from Paul Badji. The UN's name has been used this way before, notably with Ban Ki-moon's name attached. This email is probably the usual Advance Fee Fraud approach, using a couple of links to reputable websites to try to make it look more authentic. Avoid.

Unusually for what appears to be an African scam, the originating IP is 89.39.24.2 in Romania.

Greeting to you, I am Mr. Paul Badji Chairman on human right Exercise Committee (CHREC ) on the Inalienable Rights of the People a member of Africa Union Committee and Special Adviser to Mr. President. Sir, your file appears in my office four days ago Through FMS Headquarter. that you are the beneficiary to receive payment of fifteen million British pound on behalf of Late Mrs.Veronica Daniela from Ukraine, Europe, Former Managing Director of Mobile oil and Gas Company Nigeria Ltd. who died in plan crash on Sunday, Oct 22nd, 2005 .

when a Bellview Airline Boeing 737 crashed in the countryside shortly after takeoff from the commercial capital Lagos, 117 people died .therefore the Bellview Airline's management and Mobile oil and Gas Company Nigeria Ltd, has deposited fifteen million British pound at First Bank Nigeria Plc on behalf of Late Mrs.Veronica Daniela, Signed approved by secretary of state on Friday 16 2nd July 2010, please confirm the accident picture to find the true of these site click here: http://www.1001crash.com/index-page-description-accident-Bellview_B737-lg-2-crash-6.html

there for you are to receive this fund in your name as the next of kin which appear in the file, This is to notify you that the Two companies have agreed to pay fifteen million British pound to you in your name on behalf of Late Mrs.Veronica and to change the decease name to your name. This is regarding the draws organized lately to help individuals whom have lost their earnings in this act. on Sunday, Oct 22nd, 2005 . . And to build true organizations so as to help the less privileged in the society. you are therefore advised to contact Correspondent paying Bank, First Bank Foreign Remittance Department Chief Director Operations & Services. Requirement is requested by your full Name including your home address, country. And your private telephone number to confirm the file here and to release the fund to you. For more information you are to contact via Email below.

Thank you and God bless
Mr. Paul Badji
Special Adviser to Mr. President
Chairman, Committee on the Exercise
of the Inalienable Rights of the People.
Africa Union Committee (AU)
N:B website
Contact Email: badjipaul@rocketmail.com
http://www.africa-union.org/root/au/index/index.htm

A couple of recent news stories illustrate the dangers of "Romance Scams" or Dating Scams. In one, a woman called Brenda Parke details how she was ripped off by a fraudster to the tune of £57,000.. and kudos to her for having the courage to come forward and shine a light on this activity.

But this isn't the only case: a recent BBC Crimewatch film reveals more about this operation, leading to the successful capture of a romance fraudster in Ghana. In this case the victim had already sent £45,000 and was about to send a staggering £120,000 before the police intervened.

Although most of the dating scam spam I see is Russian in origin, it is also a major criminal activity in Ghana in particular.

A ridiculously long and horribly written scam email about winning a Toyota, relayed through 60.251.190.235 in Taiwan, but apparently soliciting replies to an email address in Hong Kong while claiming to be based in Thailand. It is (of course) some sort of Advanced Fee Fraud. Incidentally, the +(66)896734792 telephone number is Thai and is well known for being connected with scams.

We are pleased to inform you of the result of the just concluded annual final draws held on the IST OF January,2010 by Toyota Motor Company in conjunction with the Japan International Email Lottery Worldwide Promotion,your email address was among the 20 Lucky winners who won US$1,000,000.00 each on the Toyota Motors Company Email Promotion programme dated as stated above.This is from the total price of $20 million United State Dollars ($20,000,000.00usd)shared among the 20 lucky winners,you are therefore approved for a lump payment of US$1,000,000.00 Dollars,in cash ,including a Toyota car which is the winning present /amount for the Second category winners.

However the results were released and declared on the 5TH OF MAY 2010, and your email address attached to ticket number 4500542188(TMPWAYZ20051), with serial number 454-17 drew the lucky number 3,8,13,22, 5, 0,27,41 and bonus number 12,your Reference Number:FLS433/453L/GMSA. The online draws was conducted by a random selection of email addresses from an exclusive list of 35,031 E-mail addresses of individuals and corporate bodies picked by an advanced automated random computer search from the internet. However, no tickets were sold but all email addresses were assigned to different ticket numbers for representation and privacy to make sure the money reaches you.

The selection process was carried out through random selection in our computerized email selection machine (TOPAZ) from a database of over 250,000 email addresses drawn from all the continents of the world. This Email Lottery Promotion is approved by the Japanese Gaming Board and also Licensed by the The International Association of Gaming Regulators (IAGR).This lottery is the 3rd of its kind and we intend to sensitize the general public about toyota motors 2010 new cars(Toyota motors 2010 latest cars).As indicated by the computerized selection machine,your lucky winning number falls within our Asia booklet representative office here in THE KINGDOM OF THAILAND as showed in the coupon.

For security reasons, you are advised to keep your winning information confidential and private until your claim is processed and your money remitted to you in whatever manner you deem fit to claim the prize money and the toyota car your winning present.This is part of our precautionary and security measure to avoid double claiming and unwarranted abuse of this program.In other to claim your US$1,000,000.00 winning prize,which has been deposited with THE MANAGEMENT AND BOARD OF UNITED TRUST BANK BANGKOK BRANCH THAILAND, Remember to indicate your reference Number (FLS433/453L/GMSA) to make sure the winning prize US$1,000,000.00 and the Toyota car reaches you intact and complete.

The toyota car shipping documents will be forwarded to you to claim ( A toyota car which is the winning present for second category winners) in any port of your choice,once your winning amount US$1,000,000.00 processed and transfer to you.
However,you are required to fill the form below,together with the name of the port where your winning present a toyota car should be ship to and send it to the online promotion manager of THE TOYOTA MOTOR CORPORATION for verification and then you will be directed to the paying bank above for immediate process and approval of your winning fund and shipping of your (TOYOTA CAR) where the sum of US$1,000,000.00 has already been deposited in your favor under your email address.

You are to keep all the winning information away from the general public especially your ticket number and ballot number.(this is important as a case of double claiming will not be entertained) Staff of Toyota Motor Company and the Japanese International Lottery Company are not to partake in this Lottery. Accept my hearty congratulations once again! for being selected among the 20 lucky winners .

Thursday, 22 July 2010

A variation on this hoax email analysed at Hoax-Slayer indicates that someone has a grudge against Research in Motion (who make the BlackBerry range of smartphones) in South Africa.

There's a watermarked image stolen from Mobile Gazette (who have nothing to do with the hoax) to go with it.. now with a blurry couple of photos from people claiming to have received their free BlackBerry.

This is just a hoax.. nobody is going to send you a €400 smartphone (about 3800 rand) for forwarding a few emails. It probably just exists to harass the company or whoever "Amanda Lee" might be. Don't forward it.

Dear All,

Blackberry is giving away free phones as part of their promotional drive. All you need to do is send a copy of this email to 8 people; and you will receive your phone in less than 24 hrs. Please note that if you send to more than 20 people you will receive two phones. Please do not forget to send a copy to: amanda.lee@blackberry.co.za

With Regards,
Amanda Lee (Marketing Manager)
Office Number: 0117838512

Wednesday, 21 July 2010

Hotbar.com probably needs no introduction as an unpleasant piece of Slimeware, picked up from the ruins of Zango by a Washington State company calling itself Pinball Corporation. Traditionally, companies like Zango and Pinball work on a pay-per-install basis for their software, and recruit affiliates to get the software installed on end users' machines. Anyone who deals with affiliate marketing knows that the actions of your affiliates reflect on the company itself.. you don't want dodgy affiliates tarnishing your reputation.

This particular affiliate of Pinball Corporation does seem to be pretty deceptive, though, targeting naive users who don't properly check what they are downloading.

Is earthi0-3d.com Google? Of course not! But it relies on users not to check before they click through..

Google's logo is displayed prominently on the landing page, and the whole page really does look like it is from Google, but scrolling down reveals the truth.. in pale grey text on a white background to make it difficult to spot:

This website has no partnership whatsoever with the owner or manufacturer of this software program, and provides ONLY a link to the program.
New computer users should find our services valuable, and a time saver. If you are an advanced computer user, you probably don't need our services.

Well, it doesn't just provide a link to download the program.. clicking "Free Download" reveals the payload of a mixture of HotBar, ShopperReports, Blinkx and QuestDNS adware.

..but you have to read the small(ish) print. The Google Earth logo is still prominently displayed, along with a great big "Start" button. Now, to be fair, it is all spelled out in black and white with links to the EULA, but displayed in a much smaller and less prominent manner than the Google logo.

It's not just Google Earth that is targeted in this way: the server that hosts earthi0-3d.com, 174.121.90.107 [ThePlanet.com], also hosts a shedload of other domains that masquerade as well-known applications. (Sorry, it's a long list.. but there's more after it).

You can probably safely block these IPs and all of these sites, there doesn't seem to be anything of value here.

This is definitely a somewhat deceptive approach to installation, but it does rely on a fair degree of user stupidity too. However, any IT person will probably tell you that there is a hard core of users who really are daft enough to fall for something like this, and really the best thing that you can do is pre-emptively block the whole lot.

There is a very questionable use of trademarks here, and perhaps some of those trademark owners might like to take some action of their own...

Saturday, 17 July 2010

Pollux Enterprise Ltd appears to be a genuine company in Hong Kong. This email claims to be from Pollux Enterprise Ltd, but isn't.. it's a Money Mule scam, which is basically money laundering. The email originates from 95.154.240.2 which appears to be Turkish, not Hong Kong. Avoid.

If you have access to a computer, and have up to three hours spare time per-
week, would you like to work part or full time online from
home and get paid weekly? If yes, then please read carefully.
_____________________________________________________________________
ABOUT US
______________________________________________________________________
Pollux Enterprise Ltd was Established in 1999 in Hong Kong and we specializes
in worldwide export of fashion accessories, hair ornaments and fashion jewelry.
We strive to market chic and trendy accessories that intrigue fashion-conscious
ladies around the globe.

Backed by the vast manufacturing base in China and the East-West sensibility
uniquely found in Hong Kong,
______________________________________________________________________
JOB POSITION
_______________________________________________________________________
We are currently seeking part/full time employees for our ever-growing
Foreign Payment Receiving Officer. Through extensive demographic research, we
have discovered a wealth of untapped human resources that, for one reason or
another, need the freedom to work from home and consider becoming part of our company.
as part of our ongoing Multi Level Marketing Network, we seek capable individuals to work for
us as our representative.You can easily make $500 - $2,000 or more in a week by
working for us as Sub-contractor in your geographical location, you will be in charge
of collecting payment on behalf of our affiliates and Small business organizations
that are registered under us. Note that no form of investment is needed from you and this job will take
only 1-3 hours of your time per week.
______________________________________________________________________
JOB RESPONSIBILITY
_______________________________________________________________________
The position of Foreign Payment Receiving Officer entails the following duties:
coordinate payments from our clients, receive payments which come in form of Certified
Check, process payments at your local bank, and forward 90% of funds
received to the proper branch office, as instructed.
The remaining 10% is your gratuity. Since this position
is need-based, you will have plenty of free time while enjoying a good income.
_______________________________________________________________________
REMUNERATION
_______________________________________________________________________
Every assignment in form of payment received from clients, you're entitled to
10% which excludes the cost of processing western union to any regional office
accountant Also you get a monthly salary of $1500 which comes at the end of every
month, plus other incentives and benefits that accrue, which includes tax holidays.
________________________________________________________________________
INTERESTED APPLICANTS (HOW TO APPLY)
________________________________________________________________________
Interested applicants should reply with: